
Revision as of 16:22, 23 February 2011

Main

This project will have a two-pronged approach designed to put more nails in the coffin of single-factor authentication. First, we will create an interactive portal where penetration testers can enter known information about the target. This known information can then be broken down and converted to create a large downloadable dictionary list customized to the target. This list will be added to a comprehensive standard dictionary, with the same character conversions applied to it as well. The result would be a large list of commonly used passwords, dictionary words, target-specific passwords, and various derivatives of each, which should cover the vast majority of passwords used today.

The second prong of our approach will be to capture the results of all data collected into a large database. This data will be hashed with common hashing methods to create what will become the world's largest rainbow tables. A user can provide us with a hash and we can do a lookup against these tables to search for matching entries. The goal here is to put a stop to unsalted password hashes for authentication.

We likely have one final non-technical objective here which is to educate end-users on the proper creation of passwords. Maybe we even have some sort of password generator based on a phrase that somebody types in. If you are interested in contributing to the project, please contact the Project Leader, Josh Sokol, at josh dot sokol at owasp dot org.

Project About

What is this project?

Name: OWASP Secure Password Project (home page)

Purpose: The majority of the world's authentication systems rely on a single-factor authentication mechanism: the password. A simple internet search yields thousands of pages dedicated to the topic of creating a secure password, but almost all of them are inherently flawed in that they recommend either joining pieces of known information to assemble a password or applying character-conversion schemes to commonly known words and phrases. The inherent problem with this approach is that if the pieces are known, then it is fairly trivial to compute the variations that make up the whole password.

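The following Python example is added here to illustrate the argument above; it is not code from the OWASP Secure Password Project. It expands a constructed set of "known pieces" into a small target-specific dictionary using case variants, character conversions and concatenations, precomputes an unsalted digest lookup table from it, and then shows why the same lookup fails against a hash that uses a per-user salt and a slow KDF. The seed terms, the conversion map and the salt are assumptions chosen for the demonstration.

```python
import hashlib
import itertools
import os

# Constructed stand-in for the "known information" a tester enters about a
# target (a pet name, an employer, a birth year); the values are made up.
SEED_TERMS = ["rover", "acme", "1984"]

# A few of the character conversions that password-advice pages commonly suggest.
LEET_MAP = {"a": ["a", "@", "4"], "e": ["e", "3"], "i": ["i", "1"],
            "o": ["o", "0"], "s": ["s", "$", "5"]}

def conversions(word):
    """Yield every character-conversion variant of word, the original included."""
    choices = [LEET_MAP.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)

def build_wordlist(seeds):
    """Expand seed terms into a small target-specific dictionary: case variants,
    character conversions, and pairwise concatenations of the known pieces."""
    base = set()
    for term in seeds:
        base.update({term, term.capitalize(), term.upper()})
    words = {variant for w in base for variant in conversions(w)}
    words.update(a + b for a, b in itertools.permutations(base, 2))
    return words

def build_lookup_table(words, algo="sha1"):
    """Precompute digest -> password for an unsalted hash: the plain form of
    what a rainbow table stores in compressed chains."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}

def unsalted_hash(password, algo="sha1"):
    return hashlib.new(algo, password.encode()).hexdigest()

def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2): nothing precomputed from
    the wordlist matches, so the table lookup fails even for a weak password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def recover(table, digest):
    """Return the password behind digest if the table holds it, else None."""
    return table.get(digest)

if __name__ == "__main__":
    table = build_lookup_table(build_wordlist(SEED_TERMS))
    print(len(table), "entries")
    print("unsalted:", recover(table, unsalted_hash("Rover1984")))  # Rover1984
    print("salted:", recover(table, salted_hash("Rover1984", os.urandom(16))))  # None
```

The salted lookup misses not because the password is strong but because the stored value is no longer a pure function of the password, which is exactly the property unsalted schemes lack.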